Final Fantasy 14‘s latest patch was supposed to make an adjustment to the MMORPG to help combat mods that could potentially enable harassment, but players have found that developer Square Enix‘s efforts to do this haven’t removed the issue entirely.
Previously, Final Fantasy 14 introduced what was supposed to be an improvement to its blacklist feature, allowing players to block all characters tied to an account when they block one of them.
In theory, this should have reduced the chances of players being harassed, but players discovered that, with this new feature, every player had a unique account ID, broadcasted to the game’s client.
This ID is supposed to be invisible, but a mod that could access it soon surfaced – neither personal information nor payment details could be accessed this way, but needless to say, it wasn’t good news for players who were now faced with the possibility of others tracking down all of their alternate characters using their account ID.
With Patch 7.2, Square Enix has outlined changes to the blacklist, noting that, “to help prevent the identification of account IDs that are not displayed in-game, relevant saved client data has been reset.”
Anyone you’ve blacklisted will remain blacklisted, but their character names have been removed, and will only be visible if you block them again. Furthermore, fans investigating the situation found that some level of account ID obfuscation had also been put in place, but this apparently isn’t enough to stop the problem at all.
“After a *lot* of testing and a group chat full of my smartest FF14 friends, we have figured out the obfuscation is vulnerable, and that the account IDs are actually reversible,” one player who goes by NotNite writes on Bluesky. “[Square Enix] needs to stop sending the account ID entirely to clients and just set a hidden flag or something.”
Continuing, NotNite explains that “this functionally means nothing to plugins like PlayerScope” – the mod that was previously used to identify account IDs – the only difference is “they need to work slightly harder and discover the algorithm on their own.”
NotNite and their friends have reportedly already “been able to deobfuscate several account IDs (of friends with consent) with a 100% success rate,” but they understandably aren’t sharing the details of how it’s done beyond noting that “it is very easy to do.”
NotNite is calling on Square Enix to fix the flaw, and “fix it properly.” They allege that “it’s a security risk,” and that “they should not obfuscate this information, they should completely stop sending it to the client.”
Needless to say, Patch 7.2 hasn’t brought the reassurance that players left feeling uncomfortable by the blacklist exploit saga were hoping for. Clearly, though, Square Enix wants to see this issue dealt with, so hopefully the developers can make another attempt to solve it for good.
